Blog

  • Create an Azure SQL Database baseline

    Azure SQL Database is a cloud-based relational database family of products that support many of the same features offered in Microsoft SQL Server. Azure SQL Database provides an easy transition from an on-premises database to a cloud-based database that has built-in diagnostics, redundancy, security, and scalability.

    Azure SQL Database security recommendations

    The following sections describe the Azure SQL Database recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation.

  • Create an Azure storage accounts baseline

    An Azure Storage account provides a unique namespace where you can store and access your Azure Storage data objects.

    Azure Storage account security recommendations

    The following sections describe the Azure Storage recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Create a Microsoft Defender for Cloud baseline

    Microsoft Defender for Cloud provides unified security management and advanced threat protection for workloads that run in Azure, on-premises, and in other clouds. The following Defender for Cloud recommendations, if followed, will set various security policies on an Azure subscription. These policies define the set of controls that are recommended for your resources with an Azure subscription.

    Microsoft Defender for Cloud security recommendations

    The following sections describe the Microsoft Defender for Cloud recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Get started with Microsoft Entra ID

    Your organization decides to use Microsoft Entra ID to manage secure access. Users include doctors, external healthcare partners, and all internal staff members. You’re asked to look into implementing secure access for your organization.

    Here, you learn how to take a phased approach to deploying Microsoft Entra ID for your organization. You learn how to lay a foundation, deploy Microsoft Entra ID by creating a tenant, and associate a subscription with it.

    Deploy in phases

    A good way to deploy Microsoft Entra ID is in phases. Your deployment is split into several stages. Each stage addresses a key aspect of Microsoft Entra ID. A phase includes the tasks you need to complete before you go to the next stage. This approach lays a secure foundation for your Microsoft Entra instance.

  • Azure AD B2C

    You can also use Azure AD B2C to manage your customers’ identities and access. You want to give your doctors’ accounts protected access to resources and services. Use Azure AD B2C to securely authenticate the doctors through their preferred identity providers.

Azure AD B2C also helps you monitor for threats like brute force attacks and denial-of-service attacks on doctors’ user accounts. To use Azure AD B2C, you first register your apps. Then, you configure user flows to set up the user’s journey to access an app.

    For example, a flow for the sign-in process might go like this:

    Sign-in flow for users.
    1. On their browser or mobile phone, the user goes to the app they want to access.
    2. The user is required to complete the sign-in form.
    3. If the credentials are verified and multifactor authentication is enabled, the user receives a verification code on their phone.
    4. The user provides the code they received.
    5. The user is granted access to the app.

    This feature is available on a pay-as-you-go basis.

    Microsoft Entra Domain Services

    Microsoft Entra Domain Services lets you add virtual machines to a domain without needing domain controllers. Your internal staff users can access virtual machines by using their company Microsoft Entra credentials.

    Use this service to reduce the complexity of migrating on-premises apps to Azure. An organization could also use Microsoft Entra Domain Services to handle its infrastructure if it runs apps both on-premises and in the cloud. The process might go like this:

    Process for adding VMs to a domain in Microsoft Entra Domain Services.
    1. The organization deploys its apps and servers in a virtual network on Azure.
    2. Microsoft Entra Connect Sync synchronizes identity information between the on-premises Active Directory instance and the organization’s tenant in Microsoft Entra ID.
    3. The company enables Microsoft Entra Domain Services on their Microsoft Entra tenant.
    4. The apps and servers in Azure can use features like domain joining and Kerberos authentication.

    This feature is available on a pay-as-you-go basis, priced on the total number of objects in your domain that are managed by Microsoft Entra Domain Services. Objects can include users, groups, and domain-joined computers.

  • Essential features of Microsoft Entra ID

    Your company wants to improve how it provides services to doctors and how it collaborates with external healthcare organizations. You’re asked to investigate what other capabilities and services Microsoft Entra ID can provide for the organization.

    Here, we explore some essential features of Microsoft Entra ID and how you can use them. Specifically, we look at Microsoft Entra B2B, Azure AD B2C, Microsoft Entra Domain Services (AD DS), and Microsoft Entra ID Protection. These are features that you can use to help improve how you manage apps in Microsoft Entra ID.

    Microsoft Entra B2B

    Use Microsoft Entra ID to invite external users to your tenant. Your organization can then collaborate with external healthcare partner staff members through Microsoft Entra B2B Collaboration.

    For example, your company works with external healthcare partners. You can invite these partners as guest users to your tenant. When their work is done, you can revoke access for those external partners until they need it again.

    Here’s the B2B collaboration process:

    B2B collaboration process.
    1. The external user either receives an email invitation that includes a redemption link or gets a direct link.
    2. The user selects the redemption link to access the apps they were invited to.
    3. If multifactor authentication is set up, the user receives a verification code on their phone.
    4. The user provides the code they received.
    5. The user can access the app, whether it’s on-premises or in the cloud.

    This feature is available for all licensing tiers in Microsoft Entra ID.

  • Understand Microsoft Entra ID licenses and terminology

    Your company always looks for the most experienced healthcare professionals and external contractors with whom to work. Research projects can become costly if they’re not managed properly. Your company wants to improve its cost effectiveness. The company asks you to investigate how Microsoft Entra ID is licensed. They also want you to provide a clear and concise outline of the critical terminology they might come across in Microsoft Entra ID.

    In this unit, you explore how Microsoft Entra ID is licensed and which features fall under the different licenses. You see how to add or change licenses in Microsoft Entra ID, and you learn the key terms you need to understand when you use Microsoft Entra ID.

    Microsoft Entra ID licenses

    You can use different features of Microsoft Entra ID, depending on the type of license you choose:

    • Microsoft Entra ID Free: You can manage users and groups, and you get necessary reports, on-premises Active Directory synchronization, and self-service password reset for Microsoft Entra users. You also get single sign-on for Microsoft 365, Azure services, and many non-Microsoft SaaS applications.
    • Pay-as-you-go licenses for specific features: You can access specific Microsoft Entra features, like Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.
    • Office 365 Apps: You get all the free tier features, but you can also have custom sign-in and sign-out pages, self-service password reset for cloud users, and device write-back.
    • Microsoft Entra ID P1: You get all the features from the free tier, but you can also let users access on-premises and cloud-based services and resources. You can use self-service group management or dynamic groups, where users are added and removed automatically based on your criteria. This tier supports on-premises identity-management suites like Microsoft Identity Manager. Self-service password reset is also supported for users who are based on-premises.
    • Microsoft Entra ID P2: You get all the features of the previous two tiers, along with Microsoft Entra ID Protection. This feature helps you configure risk-based Conditional Access to protect applications from identity risks. You can also use privileged identity management, which lets you monitor and put detailed restrictions on Administrators.
    • Microsoft Entra ID Governance: An advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra ID Governance is available as six products: Microsoft Entra ID Governance, Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2, Entra ID Governance Frontline Worker, Microsoft Entra ID Governance Step up for Microsoft Entra ID F2, Microsoft Entra ID Governance for Government, and Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government. These six products differ only in their prerequisites. They contain the entitlement management, privileged identity management, and access reviews capabilities that were in Microsoft Entra ID P2, plus additional advanced identity governance capabilities.
    • Microsoft Entra Suite: A complete cloud-based solution for workforce access, available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra Suite brings together Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID. The Microsoft Entra ID Governance portion provides the same identity governance capabilities as the Microsoft Entra ID Governance product. The difference is that they have different prerequisites.

  • Microsoft Entra overview

    The board wants to enable secure and easy access to applications and services. These applications are available to internal staff and doctors from various countries/regions. Your team manager believes that Microsoft Entra ID can address these needs. Your manager wants you to find out what Microsoft Entra ID is, how it works, and what it does.

    Here, you get an overview of Microsoft Entra ID and see why you would use it. You learn about the differences between Microsoft Entra ID and the traditional on-premises Active Directory.

    What is Microsoft Entra ID?

    Microsoft Entra ID is a cloud-based identity-management solution. It helps your company’s internal users to:

    • Access external resources like Azure services, Microsoft 365, and third-party SaaS applications.
    • Access internal resources such as applications on the corporate network and cloud-based applications that your company builds.

  • Fusion team development process

    Fusion Development Teams create better software faster by empowering Citizen Developers—business professionals—to build applications that solve unique problems, with support from their Professional Developer peers.

    The Field Inventory Management System problem involves individuals from field technician, inventory management, and software development roles.

    The way Caleb, Maria, and Kiana organize themselves illustrates how many Fusion Development Teams operate effectively.

    Development process

    “Here’s the interesting thing about Power Apps,” Maria began, “you don’t need a background in software development to create an app that solves a specific business problem.”

    She continued, “The trickiest part is knowing when and how to ask for help: recognizing when Power Apps doesn’t offer the functionality you need and involving the software development team.”

    Kiana agreed. “Even though Citizen Developers build Power Apps, they still need help from us Professional Developers.”

    “Exactly,” Maria said. “Professional Developers often create Power Apps too, especially to replace legacy systems quickly.”

    Maria added, “Citizen Developers might use existing web APIs to get data or work with Professional Developers to create new ones. Even better, if Power Apps doesn’t offer a UI control, a Professional Developer can build one.”

    “So it sounds like Professional Developers are essential to building Power Apps and supporting Fusion Development Teams,” Kiana concluded.

  • The current field inventory management system

    One way to increase tech intensity at VanArsdel Heating and Air Conditioning is to enable cross-department collaboration in building software solutions. These apps are created by business professionals—also known as Citizen Developers—tailored to their specific needs and supported by data and functionality provided by Professional Developers. Together, Citizen Developers and Professional Developers form a Fusion Development Team.

    The VanArsdel Fusion Development Team is focused on solving a business challenge they call the “Field Inventory Management System.”

    As the newest employee at VanArsdel, you’re assigned to take notes while Caleb, the lead field technician, describes an inefficient workflow that costs him and his team many hours each day.

    The field inventory management system

    Screenshot of a flowchart of the current inventory management system and workflow for VanArsdel, which comprises several steps.

    A flowchart of the current inventory management workflow shows the multiple steps and roles involved:

    • While performing a repair in the field, Caleb may discover he needs a part that isn’t on his truck.
    • He might call a nearby technician to see if they have the part available.
    • If not, he travels back to the central warehouse to pick it up, completing a paper form to log the inventory removal.
    • If the part is not in stock, he fills out a different form to request the part be ordered.
    • Caleb notes that if they didn’t spend time retrieving parts, the team could serve more customers each day.

    Malik, the office manager, adds that field technicians often call him to check inventory availability, which interrupts his own work and responsibilities.

    Maria, who leads supply chain management, shares how this manual process affects her team:

    • Technicians sometimes forget to record when they remove parts, leading to inaccurate inventory counts.
    • Her team must frequently conduct manual inventory audits to maintain accuracy.
    • She reviews paper part request forms multiple times a day to ensure inventory is restocked as needed.
    • Maria uses a legacy web application, built by Kiana, to track inventory and order parts from vendors.

    Kiana notes that IT has prioritized other initiatives, which has delayed modernization of the inventory application.